Security Report

Application Name: MQv9x (OpenSource)

Business Impact: Medium

Report Name: MQv9x (OpenSource)_20200609_17_20_28

Summary of security issues

High severity issues: 3
Medium severity issues: 6
Total security issues: 9

Table of Contents

Summary

Issues

Fix-Groups

Common Open Source: : ant.jar
Common Open Source: : ant-junitlauncher.jar
Common Open Source: : bcprov-jdk15on.jar
Common Open Source: : commons-codec.jar
Common Open Source: : commons-collections.jar
Common Open Source: : log4j.jar
Common Open Source: : log4j-core.jar

Advisories


Summary

Total security issues: 9

Issue Types: 1

Issue Type        Number of Issues
OpenSource        9

Severity          Critical  High  Medium  Low  Informational
Number of Issues  0         3     6       0    0

Issues - By Fix Groups:

M Common Open Source: : ant.jar

Fix Group ID: 38fc2e2c-da9c-ea11-86e9-00155d55406c
Status: Undefined
Date: 2020-05-23 09:45:55Z
Library name: ant.jar
Notes:

Advisory:

Issue 1 of 2

Issue ID: 3dfc2e2c-da9c-ea11-86e9-00155d55406c

Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 38fc2e2c-da9c-ea11-86e9-00155d55406c
Location: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant.jar
Source File: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945

Issue 1 of 2 - Details

Name: CVE-2020-1945

Description: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker to inject modified source files into the build process.
Resolution: Upgrade to version org.apache.ant:ant:1.9.15 (1.9.x line) or 1.10.8 (1.10.x line)
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945

Issue 1 of 2 - Audit Trail
05/23/2020 09:45:55  IssueTypeName: → OpenSource  Status: → New  Location: → F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant.jar  Severity: → Medium  Scanner: → AppScan Static Analyzer
05/25/2020 19:11:52  WMQ Infrastructure  Status: New → Open  TaskID:

Issue 2 of 2

Issue ID: cd5fcdc7-e39c-ea11-86e9-00155d55406c

Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 38fc2e2c-da9c-ea11-86e9-00155d55406c
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945

Issue 2 of 2 - Details

Name: CVE-2020-1945
Description: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker to inject modified source files into the build process.
Resolution: Upgrade to version org.apache.ant:ant:1.9.15 (1.9.x line) or 1.10.8 (1.10.x line)
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945

Issue 2 of 2 - Audit Trail
05/23/2020 10:54:33  IssueTypeName: → OpenSource  Status: → New  Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant.jar  Severity: → Medium  Scanner: → AppScan Static Analyzer
05/25/2020 19:11:55  WMQ Infrastructure  Status: New → Open  TaskID:
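The two findings above describe the same weakness: Ant writes intermediate files into the JVM's java.io.tmpdir, which on most hosts is a shared, world-writable directory, and two tasks copy those files back into the source tree. Until the build runs on Ant 1.9.15 or 1.10.8, the practical control is to point java.io.tmpdir at a directory that only the build user can read or write. The following is an added example (not part of the report, of AppScan, or of Apache Ant) that audits a candidate directory for the properties that matter here and creates a private one; it assumes POSIX permission bits, so the Windows build path in the report would need an ACL check instead.

```python
import os
import stat
import tempfile


def audit_tmpdir(path, uid=None):
    """Return a list of findings for `path`; an empty list means it is
    acceptable as java.io.tmpdir for a build. POSIX permission bits are
    assumed (Windows ACLs are not examined)."""
    uid = os.getuid() if uid is None else uid
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if stat.S_ISLNK(st.st_mode):
        # Whoever controls the link chooses where the temporary files land.
        findings.append(f"{path}: is a symlink")
        st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return findings + [f"{path}: is not a directory"]
    if st.st_uid != uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, not the build user (uid {uid})")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # /tmp is 1777: the sticky bit stops deletion of others' files but not
        # pre-creation of names or symlinks that a later task will follow.
        sticky = " (sticky bit set, but the directory is still shared)" if mode & stat.S_ISVTX else ""
        findings.append(f"{path}: writable by group/others (mode {mode:04o}){sticky}")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others (mode {mode:04o}); "
                        "temporary copies of build inputs would be exposed")
    return findings


def make_private_tmpdir(prefix="antbuild-"):
    """Create a fresh directory that only the current user can enter."""
    path = tempfile.mkdtemp(prefix=prefix)  # mkdtemp creates it with mode 0700
    os.chmod(path, 0o700)                   # re-assert, independent of umask handling
    return path


def ant_jvm_args(tmpdir):
    """JVM arguments (for ANT_OPTS) that move Ant's temporary files into `tmpdir`."""
    return [f"-Djava.io.tmpdir={tmpdir}"]


def demo():
    """Constructed demonstration: a fresh private directory passes; the same
    directory opened up to mode 1777 (the usual mode of /tmp) is flagged.
    Returns both finding lists."""
    path = make_private_tmpdir()
    try:
        private = audit_tmpdir(path)
        os.chmod(path, 0o1777)
        shared_like = audit_tmpdir(path)
    finally:
        os.chmod(path, 0o700)
        os.rmdir(path)
    return private, shared_like


if __name__ == "__main__":
    default = tempfile.gettempdir()
    print("default temp dir:", default, audit_tmpdir(default) or "ok")
    private, shared_like = demo()
    print("fresh private dir:", private or "ok")
    print("same dir at mode 1777:", shared_like)
    d = make_private_tmpdir()
    print("ANT_OPTS=" + " ".join(ant_jvm_args(d)))
    os.rmdir(d)
```

Run the audit against whatever the build's JVM currently resolves as java.io.tmpdir; a clean result on a per-build 0700 directory is the state to aim for, and the generated ANT_OPTS value is how to get Ant there without changing build.xml.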

M Common Open Source: : ant-junitlauncher.jar

Fix Group ID: 69557d0e-d9a7-ea11-86e9-00155d550e89
Status: Open
Date: 2020-06-06 09:35:36Z
Library name: ant-junitlauncher.jar
Notes:

Advisory:

Issue 1 of 1

Issue ID: 6a557d0e-d9a7-ea11-86e9-00155d550e89

Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 69557d0e-d9a7-ea11-86e9-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant-junitlauncher.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant-junitlauncher.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, June 6, 2020
Last Updated: Monday, June 8, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945

Issue 1 of 1 - Details

Name: CVE-2020-1945
Description: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree, allowing an attacker to inject modified source files into the build process.
Resolution: Upgrade to version org.apache.ant:ant-junitlauncher:1.10.8; org.apache.ant:ant:1.9.15 (1.9.x line) or 1.10.8 (1.10.x line)
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-1945

Issue 1 of 1 - Audit Trail
06/06/2020 09:35:36  IssueTypeName: → OpenSource  Status: → New  Location: → F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant-junitlauncher.jar  Severity: → Medium  Scanner: → AppScan Static Analyzer
06/06/2020 09:42:54  Location: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\ant\lib\ant-junitlauncher.jar → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/ant/lib/ant-junitlauncher.jar
06/08/2020 19:07:52  WMQ Infrastructure  Status: New → Open  TaskID:
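Every fix group in this report resolves to a "fixed in" version, but the report never records which version was actually found, so the first thing to do when a new build is produced is to read the version out of each shipped jar and compare it with the fixed version. The following is an added example (not from the report, AppScan or any of the listed projects) that does this from the jar's own META-INF/MANIFEST.MF, using the Implementation-Version or Bundle-Version header the Ant, Bouncy Castle, Commons and Log4j jars carry. The fixed-version table is transcribed from the Resolution lines of this report; log4j.jar is left out because its resolution is a move to a different artifact (Log4j 2), not a version bump. The sample jars are constructed in memory.

```python
import io
import re
import zipfile

# Fixed versions as printed in this report's Resolution lines. Ant has one fix
# per release line, so both are listed and the comparison picks the line that
# matches the installed major.minor.
FIXED_VERSIONS = {
    "ant.jar":                 ["1.9.15", "1.10.8"],
    "ant-junitlauncher.jar":   ["1.10.8"],
    "bcprov-jdk15on.jar":      ["1.64"],
    "commons-codec.jar":       ["1.13"],
    "commons-collections.jar": ["3.2.2"],
    "log4j-core.jar":          ["2.13.2"],
}

_NUM = re.compile(r"\d+")


def parse_version(v):
    """'1.10.7' -> (1, 10, 7). A qualifier after '-' ('1.13-RC1') is dropped,
    which treats an RC as equal to its release; flag RCs separately if that
    distinction matters for your policy."""
    return tuple(int(n) for n in _NUM.findall(v.split("-")[0]))


def manifest_version(jar_bytes):
    """Version string from META-INF/MANIFEST.MF, or None if the jar has none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        try:
            text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest lines are folded at 72 bytes; a continuation starts with a space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        if m:
            return m.group(1)
    return None


def assess(name, jar_bytes):
    """Return (status, installed_version); status is 'fixed', 'vulnerable' or
    'unknown' (no version in the manifest: fall back to a hash lookup)."""
    installed = manifest_version(jar_bytes)
    if installed is None:
        return "unknown", None
    inst = parse_version(installed)
    candidates = [parse_version(f) for f in FIXED_VERSIONS[name]]
    same_line = [f for f in candidates if f[:2] == inst[:2]]
    if same_line:
        # Compare against the fix on the installed release line.
        return ("fixed" if inst >= same_line[0] else "vulnerable"), installed
    # No fixed release on this line: only a version beyond every fixed line counts.
    return ("fixed" if inst >= max(candidates) else "vulnerable"), installed


def fake_jar(version=None, key="Implementation-Version"):
    """Constructed test input: a minimal jar whose manifest declares `version`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        body = "Manifest-Version: 1.0\n"
        if version is not None:
            body += f"{key}: {version}\n"
        z.writestr("META-INF/MANIFEST.MF", body)
    return buf.getvalue()


if __name__ == "__main__":
    for name, ver in [("ant.jar", "1.10.7"), ("ant.jar", "1.9.15"),
                      ("bcprov-jdk15on.jar", "1.63"), ("log4j-core.jar", "2.13.3")]:
        print(f"{name} {ver}: {assess(name, fake_jar(ver))[0]}")
```

On a real tree, replace fake_jar() with the bytes of each file under the Location paths listed in this report; a jar whose manifest carries neither header has to be identified by its SHA-256 against the project's published artifacts rather than trusted on its filename.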

M Common Open Source: : bcprov-jdk15on.jar

Fix Group ID: 301afbae-d3ec-e911-b5e9-00155d550e89
Status: Undefined
Date: 2019-10-12 09:36:02Z
Library name: bcprov-jdk15on.jar
Notes:

Advisory:

Issue 1 of 1

Issue ID: 9caed317-daa7-ea11-86e9-00155d550e89

Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 301afbae-d3ec-e911-b5e9-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/bcprov-jdk15on.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/bcprov-jdk15on.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, June 6, 2020
Last Updated: Monday, June 8, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17359

Issue 1 of 1 - Details

Name: CVE-2019-17359

Description: The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and a resultant OutOfMemoryError, via crafted ASN.1 data. This is fixed in 1.64.
Resolution: Upgrade to version org.bouncycastle:bcprov-jdk15on:1.64
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17359

Issue 1 of 1 - Audit Trail
06/06/2020 09:42:54  IssueTypeName: → OpenSource  Status: → New  Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/bcprov-jdk15on.jar  Severity: → Medium  Scanner: → AppScan Static Analyzer
06/08/2020 19:07:53  WMQ Infrastructure  Status: New → Open  TaskID:
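The failure mode behind CVE-2019-17359 is a parser that sizes a buffer from the length field of an ASN.1 element before checking that the input can actually supply that many bytes, so a handful of bytes claiming a multi-gigabyte value is enough to exhaust the heap. Below is an added example (not the report's and not Bouncy Castle's Java) of a small DER tag-length-value reader written the hardened way: the declared length is validated against the bytes remaining, and against a cap on the length field itself, before anything is allocated. The inputs are constructed.

```python
MAX_LENGTH_OCTETS = 4      # a length field longer than this (> 2**32) is never legitimate here


class Asn1Error(ValueError):
    pass


def read_length(data, pos):
    """Decode the DER length at data[pos] and return (length, new_pos).
    Rejects indefinite length, oversized or non-minimal length fields, and
    any length the remaining input cannot back."""
    if pos >= len(data):
        raise Asn1Error("truncated: no length byte")
    first = data[pos]
    pos += 1
    if first < 0x80:                           # short form: the byte is the length
        length = first
    elif first == 0x80:
        raise Asn1Error("indefinite length is not allowed in DER")
    else:                                       # long form: 0x80 | n, then n length octets
        n = first & 0x7F
        if n > MAX_LENGTH_OCTETS:
            raise Asn1Error(f"length field of {n} octets is unreasonable")
        if pos + n > len(data):
            raise Asn1Error("truncated length field")
        length = int.from_bytes(data[pos:pos + n], "big")
        if length < 0x80 or data[pos] == 0:
            raise Asn1Error("non-minimal length encoding")
        pos += n
    # The check the vulnerable parser lacked: never size a buffer from a
    # length the input cannot supply.
    remaining = len(data) - pos
    if length > remaining:
        raise Asn1Error(f"declared length {length} exceeds the {remaining} bytes remaining")
    return length, pos


def read_tlv(data, pos=0):
    """Return (tag, value_bytes, new_pos) for the element starting at data[pos]."""
    if pos >= len(data):
        raise Asn1Error("truncated: no tag byte")
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise Asn1Error("multi-byte tags are not supported in this example")
    length, pos = read_length(data, pos + 1)
    return tag, bytes(data[pos:pos + length]), pos + length


def parse_sequence(data):
    """Parse a top-level DER SEQUENCE into a list of (tag, value) children."""
    tag, body, end = read_tlv(data)
    if tag != 0x30:
        raise Asn1Error(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(data):
        raise Asn1Error("trailing bytes after SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        children.append((t, v))
    return children


def rejection_reason(data):
    """The parser's error message for `data`, or None if it parses cleanly."""
    try:
        parse_sequence(data)
    except Asn1Error as e:
        return str(e)
    return None


# Constructed inputs.
GOOD = bytes.fromhex("3006" "020105" "0201ff")       # SEQUENCE { INTEGER 5, INTEGER -1 }
HUGE = bytes.fromhex("30847fffffff" "020105")        # claims 2 GiB, carries 3 bytes
TRUNCATED = bytes.fromhex("3005" "020105")           # claims 5 bytes, carries 3
INDEFINITE = bytes.fromhex("3080" "020105" "0000")   # BER indefinite form

if __name__ == "__main__":
    print("GOOD:", parse_sequence(GOOD))
    for name, blob in (("HUGE", HUGE), ("TRUNCATED", TRUNCATED), ("INDEFINITE", INDEFINITE)):
        print(f"{name}: {rejection_reason(blob)}")
```

A parser that instead did `bytearray(length)` (or Java's `new byte[length]`) on HUGE would attempt the 2 GiB allocation before discovering that only three bytes follow, which is exactly the OutOfMemoryError the advisory describes; the cap on the length-field width additionally stops a 0x88-style prefix from producing a value that overflows whatever integer type the consumer uses.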

M Common Open Source: : commons-codec.jar

Fix Group ID: 9d942329-5c08-ea11-828b-00155d550e89
Status: Undefined
Date: 2019-11-16 10:30:51Z
Library name: commons-codec.jar
Notes:

Advisory:

Issue 1 of 1

Issue ID: 7b6ddbf8-008e-ea11-a94c-00155d550e89

Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: 9d942329-5c08-ea11-828b-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/commons-codec.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/commons-codec.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Monday, May 4, 2020
Last Updated: Saturday, June 6, 2020
CVE: https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113

Issue 1 of 1 - Details

Name: 2019-0379
Description: Apache commons-codec before version 1.13-RC1 is vulnerable to information disclosure due to improper input validation.
Resolution: Upgrade to version 1.13-RC1
URL: https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113

Issue 1 of 1 - Audit Trail
05/04/2020 12:15:45  IssueTypeName: → OpenSource  Status: → New  Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/commons-codec.jar  Severity: → Medium  Scanner: → AppScan Static Analyzer
05/04/2020 19:05:39  WMQ Infrastructure  Status: New → Open  TaskID:

H Common Open Source: : commons-collections.jar

Fix Group ID: 37fc2e2c-da9c-ea11-86e9-00155d55406c
Status: Open
Date: 2020-05-23 09:45:55Z
Library name: commons-collections.jar
Notes:

Advisory:

Issue 1 of 2

Issue ID: d05fcdc7-e39c-ea11-86e9-00155d55406c

Severity: High
Status: Open
Classification: Definitive
Fix Group ID: 37fc2e2c-da9c-ea11-86e9-00155d55406c
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/lib/commons-collections.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/lib/commons-collections.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708

Issue 1 of 2 - Details

Name: CVE-2017-15708
Description: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in the Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further, upgrading to the 3.0.1 version will eliminate the risk of having said Commons Collections version. In Synapse 3.0.1, Commons Collections has been updated to version 3.2.2.
Resolution: Upgrade to version org.apache.synapse:Apache-Synapse:3.0.1; commons-collections:commons-collections:3.2.2
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708

Issue 1 of 2 - Audit Trail
05/23/2020 10:54:33  IssueTypeName: → OpenSource  Status: → New  Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqft/lib/commons-collections.jar  Severity: → High  Scanner: → AppScan Static Analyzer
05/25/2020 19:11:55  WMQ Infrastructure  Status: New → Open  TaskID:

Issue 2 of 2

Issue ID: 903d2732-da9c-ea11-86e9-00155d55406c

Severity: High
Status: Open
Classification: Definitive
Fix Group ID: 37fc2e2c-da9c-ea11-86e9-00155d55406c
Location: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\lib\commons-collections.jar
Source File: F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\lib\commons-collections.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Monday, May 25, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708

Issue 2 of 2 - Details

Name: CVE-2017-15708
Description: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in the Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further, upgrading to the 3.0.1 version will eliminate the risk of having said Commons Collections version. In Synapse 3.0.1, Commons Collections has been updated to version 3.2.2.
Resolution: Upgrade to version org.apache.synapse:Apache-Synapse:3.0.1; commons-collections:commons-collections:3.2.2
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2017-15708

Issue 2 of 2 - Audit Trail
05/23/2020 09:45:55  IssueTypeName: → OpenSource  Status: → New  Location: → F:\build\slot1\p920_P\obj\amd64_nt_4\ship\mqm\mqft\lib\commons-collections.jar  Severity: → High  Scanner: → AppScan Static Analyzer
05/25/2020 19:11:53  WMQ Infrastructure  Status: New → Open  TaskID:

H Common Open Source: : log4j.jar

Fix Group ID: 2f8d06f4-5e34-ea11-add2-00155d550e89
Status: Undefined
Date: 2020-01-11 10:41:49Z
Library name: log4j.jar
Notes:

Advisory:

Issue 1 of 1

Issue ID: 3e5203af-6d95-ea11-86e9-00155d55406c

Severity: High
Status: Open
Classification: Definitive
Fix Group ID: 2f8d06f4-5e34-ea11-add2-00155d550e89
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Wednesday, May 13, 2020
Last Updated: Saturday, June 6, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17571

Issue 1 of 1 - Details

Name: CVE-2019-17571
Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
Resolution: Upgrade to version org.apache.logging.log4j:log4j-core:2.0-alpha1 (i.e. migrate to Log4j 2; Log4j 1.2 has no fixed release)
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2019-17571

Issue 1 of 1 - Audit Trail
05/13/2020 23:01:40  IssueTypeName: → OpenSource  Status: → New  Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j.jar  Severity: → High  Scanner: → AppScan Static Analyzer
05/14/2020 09:32:23  WMQ Infrastructure  Status: New → Open  TaskID:
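The two High findings in this report, CVE-2017-15708 in the commons-collections.jar fix group above and CVE-2019-17571 here, are both Java deserialization: the first is matched to this tree because commons-collections 3.2.1 and earlier ship the InvokerTransformer gadget chain (the Synapse half of that resolution does not apply, since the reported location holds commons-collections.jar and no Synapse distribution), and the second lives in the Log4j 1.2 SocketServer classes, which are only dangerous if that server is actually run. For the Log4j case the printed resolution coordinate, 2.0-alpha1, is simply the first Log4j 2 artifact: the action is to move to a current Log4j 2 release, not to that alpha. The following added example (not the report's, and not Log4j's or Commons Collections' code) covers both passages: it checks whether the classes the advisories name are present in a jar and produces a copy with them removed, as an interim measure until the upgrade ships. The class lists are the editor's, not the report's; removing the socket server classes affects nothing unless that server is deliberately started, whereas removing the functors breaks any caller that uses them, so the stripped jar must be tested before it is shipped. Jar contents are constructed.

```python
import io
import zipfile

# Classes named by the two advisories (editor's list). The commons-collections
# entries are the functors that 3.2.2 stopped deserialising by default; the
# Log4j entries are the 1.2 socket servers and the SocketNode that performs the
# ObjectInputStream read on their behalf.
WATCHLIST = {
    "commons-collections.jar": [
        "org/apache/commons/collections/functors/InvokerTransformer.class",
        "org/apache/commons/collections/functors/InstantiateTransformer.class",
        "org/apache/commons/collections/functors/InstantiateFactory.class",
        "org/apache/commons/collections/functors/PrototypeFactory.class",
        "org/apache/commons/collections/functors/CloneTransformer.class",
        "org/apache/commons/collections/functors/ForClosure.class",
        "org/apache/commons/collections/functors/WhileClosure.class",
    ],
    "log4j.jar": [
        "org/apache/log4j/net/SocketServer.class",
        "org/apache/log4j/net/SimpleSocketServer.class",
        "org/apache/log4j/net/SocketNode.class",
    ],
}


def find_present(jar_bytes, classes):
    """Return the watched entries that exist in the jar, in watchlist order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = set(z.namelist())
    return [c for c in classes if c in names]


def strip_classes(jar_bytes, classes):
    """Copy the jar without the given entries. Returns (new_jar_bytes, removed).
    A signed jar (META-INF/*.SF plus *.RSA or *.DSA) fails verification after
    this; drop those files as well or re-sign the result."""
    drop = set(classes)
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in drop:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def triage(name, jar_bytes):
    """Watched classes present in the jar, plus a hardened copy without them."""
    present = find_present(jar_bytes, WATCHLIST[name])
    hardened, _ = strip_classes(jar_bytes, present)
    return present, hardened


def fake_jar(entries):
    """Constructed test input: class entries carry only the class-file magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"\xca\xfe\xba\xbe" if name.endswith(".class") else b"")
    return buf.getvalue()


LOG4J_SAMPLE = fake_jar([
    "META-INF/MANIFEST.MF",
    "org/apache/log4j/Logger.class",
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
])
COLLECTIONS_SAMPLE = fake_jar([
    "META-INF/MANIFEST.MF",
    "org/apache/commons/collections/map/LazyMap.class",
    "org/apache/commons/collections/functors/InvokerTransformer.class",
])

if __name__ == "__main__":
    for name, sample in (("log4j.jar", LOG4J_SAMPLE),
                         ("commons-collections.jar", COLLECTIONS_SAMPLE)):
        present, hardened = triage(name, sample)
        print(f"{name}: present={present}")
        print(f"  after strip: {find_present(hardened, WATCHLIST[name])}")
```

Presence of a class is what the scanner already infers from the version; the value of running this against the shipped jar is to confirm the entries are really there (a vendor-repackaged jar may already lack them) and, when an upgrade cannot ship immediately, to record exactly which entries the interim build dropped.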

M Common Open Source: : log4j-core.jar

Fix Group ID: c45fcdc7-e39c-ea11-86e9-00155d55406c
Status: Open
Date: 2020-05-23 10:54:33Z
Library name: log4j-core.jar
Notes:

Advisory:

Issue 1 of 1

Issue ID: c75fcdc7-e39c-ea11-86e9-00155d55406c

Severity: Medium
Status: Open
Classification: Definitive
Fix Group ID: c45fcdc7-e39c-ea11-86e9-00155d55406c
Location: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j-core.jar
Source File: /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j-core.jar
Availability Impact: Partial
Confidentiality Impact: Partial
Integrity Impact: Partial
Date Created: Saturday, May 23, 2020
Last Updated: Saturday, June 6, 2020
CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-9488

Issue 1 of 1 - Details

Name: CVE-2020-9488
Description: Improper validation of certificate with host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender.
Resolution: Upgrade to version org.apache.logging.log4j:log4j-core:2.13.2
URL: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2020-9488

Issue 1 of 1 - Audit Trail
05/23/2020 10:54:33  IssueTypeName: → OpenSource  Status: → New  Location: → /build/slot1/p920_P/obj/amd64_linux_2/ship/opt/mqm/mqbc/prereqs/log4j-core.jar  Severity: → Medium  Scanner: → AppScan Static Analyzer
05/25/2020 19:11:53  WMQ Infrastructure  Status: New → Open  TaskID:
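The weakness in this finding is not the TLS handshake itself but the step after it: the appender accepted a certificate that chained to a trusted CA without checking that its names matched the SMTP host it had connected to, so any party holding a valid certificate for some name could stand in for the mail server and read the log stream. The exposure only exists where the appender is configured at all, which is the first thing to check in the product's logging configuration. The following added example (not the report's, not Log4j's, written in Python rather than Java) shows the missing check: a subjectAltName matcher with the usual wildcard rules, the correctly configured SMTPS context beside the weak one, and a constructed peer certificate in the form Python's getpeercert() returns.

```python
import smtplib
import ssl


def _pattern_matches(pattern, hostname):
    """RFC 6125-style comparison of one dNSName pattern against a hostname."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    plabels, hlabels = p.split("."), h.split(".")
    # A wildcard must be the whole leftmost label, must leave at least two
    # literal labels (so *.com never matches), and never spans a dot.
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:] and hlabels[0] != ""


def hostname_matches(cert, hostname):
    """True if `hostname` is covered by a DNS subjectAltName of `cert`.
    `cert` is in the dict form returned by ssl.SSLSocket.getpeercert().
    A certificate without any DNS SAN is refused outright rather than
    falling back to the Common Name."""
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        return False
    return any(_pattern_matches(p, hostname) for p in dns_names)


def smtps_context():
    """Correct setting: chain verification AND hostname verification."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_smtps_context():
    """The behaviour the advisory describes: the chain is verified, but the
    certificate's names are never compared with the host, so any trusted
    certificate lets an interposed server pass."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def open_smtps(host, port=465):
    """Connect with hostname verification; not called in the demonstration."""
    return smtplib.SMTP_SSL(host, port, context=smtps_context())


# Constructed peer certificates, in getpeercert() form.
PEER_CERT = {
    "subject": ((("commonName", "mail.attacker.example"),),),
    "subjectAltName": (("DNS", "mail.attacker.example"), ("DNS", "*.attacker.example")),
}
CN_ONLY_CERT = {
    "subject": ((("commonName", "smtp.example.com"),),),
}

if __name__ == "__main__":
    for host in ("smtp.example.com", "mail.attacker.example", "relay.attacker.example"):
        print(f"{host}: {'accept' if hostname_matches(PEER_CERT, host) else 'reject'}")
    print("check_hostname on the correct context:", smtps_context().check_hostname)
    print("check_hostname on the weak context:", weak_smtps_context().check_hostname)
```

The "smtp.example.com: reject" line is the decision the vulnerable appender never made: PEER_CERT is perfectly valid for attacker.example, and only the name comparison tells the client that it is talking to the wrong host. The same logic is what ssl.create_default_context() enforces on connect when check_hostname is left at its default of True.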


Advisories
